Multi-Factor Authentication and One Time Passcodes (OTP)

Hancock College's SSO system requires many employees to use a Multi-Factor Authentication. Protecting an account with Multi-Factor Authentication is optional for students.

How Multi-Factor Authentication Works

Multi-factor authentication is a security concept that requires a user to produce two pieces of information. The first, is something the user knows – like a password. The second, is something that the user has – such as access to a specific email account or a specific cell phone number. By requiring a user to produce two pieces of information an SSO system has greater confidence that the user is who they claim to be.

Multi-factor authentication is now required at Hancock College for access to certain sensitive applications such as Banner Admin pages. Users who use those applications will have an additional step to logging in for those applications. However, when those users log in to services not requiring multi-factor authentication, they will only be required to enter a valid username and password.

Multi-factor authentication can optionally be turned on by users but is not required. If this option is turned on by a user, all logins will require the additional multi-factor step.

How to Opt-In to Multi-Factor Authentication

Opting in to Multi-Factor Authentication is done on the ​​Account Management page which can be found at https://hancockcollege.onbio-key.com/. Clicking the "Enable/Disable Multi-Factor" heading will expand the setting and show the current status. (Users who are required to use Multi-Factor Authentication will not have this as an option.) To enable Multi-Factor Authentication click the "Enable Multi-Factor for my account" link and click "OK" on the resulting dialog message.

Mutli-Factor Authentication Methods

There are several multi-factor options available at Hancock College. They include:

• Personal Email Address – an email address that does not include hancockcollege.edu
• SMS/Text Message – a cellular phone number capable of receiving SMS text messages
• Google Authenticator Phone App - an Android and iPhone application which can be opened at the time of logging in to generates a one-time password.
  • Android play.google.com/store/apps/details?id=com.google.android.apps.authenticator2
  • iOS https://apps.apple.com/us/app/google-authenticator/id38849760
• Security Key – a device which plugs into your computer’s USB port and is meant to be taken out of the computer when the user is away. (https://www.yubico.com/store/#security-key-series)
• Help Desk – the Help Desk will be able to provide users a one-time password which they can use. This should only be used as a fallback method when a user has not setup any other multi-factor methods or no longer has access to the methods above.

A logged in user can view the current Multi-Factor Authentication destinations at the Account Management page. Each of the available Multi-Factor Authentication methods will have its own section, which can be expanded by clicking on the heading. Some of these methods can be configured in the the Account Management page, while others need to be entered in Self Service Banner.

Updating Multi-Factor Authentication

The myHancock Portal's dashboard displays the current username, OTP email address and OTP phone number for a user in a widget named Account Info. Updating personal email and phone number for OTPs can be done by clicking the "Update Personal Information" button.

 

Personal Email Address - a personal email address can be updated by using the Personal Information form on Banner Self Service or on the myHancock portal Account Info widget.

To update the "Personal and Password Reset Email" address, click the pencil icon below the email address and enter a new address.
 

Only one personal and password reset email address can be used.

SMS/Text Message - an SMS capable cell phone number can be added via the Personal Information form on Banner Self Service. To set the default phone number used to deliver One Time Passcodes the "Text Message" phone type must be used. To edit an existing Text Message number click the pencil icon below the phone number and enter a new number. To add a new phone number, click the "(+) Add New" link, select a "Text Message" type and enter the new number.

Additional, backup phone numbers can be added on the Account Management page by expanding the "Registered Phones" section and following the prompts to enter a phone number. Phone numbers entered through this method can not be used as the default OTP delivery method, but they can be used to deliver an OTP by clicking on the "Problems with OTP?" link on the OTP entry form.

Mobile Authenticator - a smart phone application can be installed to provide you with an OTP. ITS recommends the Google Authenticator app. To add the app:

• Visit your phone's app store and search for "Google Authenticator" or go directly:
  • Android play.google.com/store/apps/details?id=com.google.android.apps.authenticator2
  • iOS https://apps.apple.com/us/app/google-authenticator/id38849760
• Log into the portal and click on the "One Time Passcode Settings" on the Account Info widget, or go to https://hancockcollege.onbio-key.com
• Expand the "Mobile Authenticator" section on the Account Management page.
• Click the link to open the app store for your phone operating system.
• Once the app is installed click on the "Enable mobile authenticator" link on the Account Management Page and select the correct phone type and  press "continue".
• A QR code will appear on the screen:
• Open the authenticator app on the phone and tap the "Add a Code" button. (The phone might prompt for permission to use the camera, which needs to be allowed.)
•  
• Tap the "Scan a QR Code" button
• 
• Scan the QR code with the phone's camera in the Mobile Authenticator app
• Take the 6 digit number from the phone app and enter that in the "One Time Passcode" field in the Account Management page in the web browser 
• Click and tap "Continue"  on the Account Management page.

 

FIDO2/Web Authentication

FIDO2 and Web Authentication are names for a newer standard that Hancoock College is now supporting for hardware based authentication. Specifically, Hancock College is support the use of FIDO2 keys which are a small device that plug into the USB port of your computer. Hancock College is currently supporting the YubiKey5 series:

To begin setup of the FIDO2 Key:

• Log into the portal and click on the "One Time Passcode Settings" on the Account Info widget, or go to https://hancockcollege.onbio-key.com
• Expand the "FIDO2 / Web Authentication" section on the Account Management page
• Click the link "Add new FIDO2 WebAuthn Device"
• Give your FIDO2 key a name, this is for you own use. Examples include "USB Key", "Security Key", "Black Key", "FIDO2"
• Select the "Removable USB or Bluetooth" option
• Insert your FIDO2 key into an open USB port
• Click the "Start Registration" button
• The computer will ask where to save the passkey - choose "Security key"
• Click "OK" on the window titled "Security key setup"
• A window might popup asking you to "Tap your security key on the reader or insert it into the USB port". Insert the key if you have not already or wait until the next window is shown.
• A window titled "Continue setup" will ask you to "touch your security key" - the gold circle on the key should illuminate and flash, tap the gold contact with your finger.
• Finally, you will see a confirmation that the passkey has been saved, click the "OK" button and the FIDO2 Web Authentication OTP should now be available to you.

One Time Passcodes

Logging in with a One Time Passcode

When a user has Multi-Factor Authentication enabled, one additional step is added to the log in process. Following a correct username and password entry the user will see form requesting the user enter a One Time Passcode (OTP):

This passcode is a multi digit number which verifies the user from one of the Mutli-Factor Authentication delivery methods. When the form opens an OTP is sent to the user's default Mutl-Factor Authentication delivery method. If the default method is not available the user can click the "Problems with OTP?" link which will give the user options to enter in any additional Multi-Factor Authentication delivery methods.The email address and phone numbers will be partially masked for security. Clicking on the "Send OTP as ...." link will trigger an SMS or Email to be sent or a prompt will be brought up to use the Mobile Authenticator App or enter a Help Desk provided OTP.

Remembering the Browser

Because the process of entering an OTP at logon can be cumbersome, the "Remember this device?" checkbox will remember the users session for one week. The user will still need to log in through SSO after signing out or every 4 hours, but the One Time Passcode form will not need to be entered again. Once checked, an input titiled Browser Descrpition will popup with the name of your web browser and the date, The defaut text can remain.

The "Remember this device?" checkbox is per browser session. The user will need to perform this on every browser and computer. Checking this box in an incognito mode browser window not save the session. Any sort of clearing of cookies might impact the browsers ability to save this setting.

Changing Default One Time Passcode Delivery Method

The user can control which delivery method is used to send the OTP after entering the user's password. This can be configured in the Account Management page by expanding the Mutli-Factor Delivery Methods section.

In this section a user can determine which Multi-Factor Authentication method is to be used for each type of action that requires an OTP. To update the Muti-Factor method for normal logins the user will click the "Change" button at the end of the "Website Login" row. Below, all available methods will be shown and the user can select a new method and click continue. Users can set the OTP methods used for account unlocks and password changes.

Common Problems with One Time Passcodes

 

OTP Delivery Error

If a user has Mult-Factor Authentication turned on and the user does not have a personal password reset email address set, the user will see an error message like the one below:

A personal email address must be added to Allan Hancock's Banner system to give the user the default Multi-Factor Authentication method of an email address. To resolve this issue:

• Employees should contact the Help Desk at ext. 3345 or helpdesk@hancockcollege.edu 
• Students must visit or call Admissions and Records. The student should ask the Admissions and Records staff to update their "Personal Email Address". The student will need to prove their identity to Admissions and Records staff.

 

OTP Delivery Method Unavailable

When an OTP is required for a user to login or change a password, the user might find that the default method the OTP is being sent is no longer accessible or is incorrect. It is possible the user has another OTP delivery method set up, such as an SMS phone. Click the "Problems with the OTP?" link. This will bring up a list of all the available OTP delivery methods available to the user. If one of these methods such as a phone number is accesible by the user the user can click the "Send OTP as SMS" link to send a new OTP to the number listed. 

If none of the methods on the "Problems with the OTP?" link page are accessible the user will need to contact staff at Hancock College. 

• Employees should contact the Help Desk at ext. 3345 or helpdesk@hancockcollege.edu 
• Students must visit or call Admissions and Records. The student should ask the Admissions and Records staff to update their "Personal Email Address". The student will need to prove their identity to Admissions and Records staff.

 

Browser Does Not "Remember Me"

Using the "Remember Me" checkbox is a feature that enables users to only have to enter an OTP every time they log in. This feature does depend on browser functionalilty known as cookes. Sometimes the setting of cookies is disabled by the user's browser. Visiting a site using a browser's Incognito or Private browser mode will not persist a user's preference to be remembered by SSO. Also settings in Chrome and Firefox can enable all cookies to be reset after closing the browser window. This will remove the broweser's ablility to keep a user loggged in to Hancock College's SSO. A Chrome user can check these browser settings by:

• Go to chrome://settings/
• Scroll to the “Privacy and Security” section and click the “Cookies and other site data” section 
• Make sure the “Clear cookies and site data when you quit Chrome” option is unchecked: 

For Firefox users:

• Go to about:preferences
• Click on “Privacy & Security”
• Scroll down to the “Cookies and Site Data” section and confirm that “Delete cookies and site data when Firefox is closed” is unchecked.